Vulnerability Events not showing in Wazuh


Deepak Kumar

Dec 22, 2025, 11:04:54 AM12/22/25
to Wazuh | Mailing List
Hi Team,

I installed Wazuh around 1 month back and I have never seen Vulnerability events in the dashboard, and never received an email from the Wazuh server. I am able to see vulnerabilities in the Dashboard but not able to see any event related to a New vulnerability or Resolved vulnerabilities. Can you please help me with what is causing the issue and how I can fix it?

Also, if you can, let me know how I can enable the different Security Operations in Wazuh.



Bony V John

Dec 22, 2025, 10:46:43 PM12/22/25
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Dec 23, 2025, 12:22:24 AM12/23/25
to Wazuh | Mailing List
Hi,

First, I will explain how vulnerability alerts are generated in Wazuh.

The Vulnerability Detection module generates alerts when new vulnerabilities appear or when existing vulnerabilities are resolved, for example after package updates, removals, or system upgrades. However, not every detected change generates an alert. Whether an alert is created depends on when and how the change is detected.

Operating system alerts
  • No alerts are generated during the initial inventory scan.

  • When a Wazuh agent first synchronizes with the manager, the current operating system version and installed patches are treated as baseline data, not changes.

  • Alerts are generated only in later scans when:

    • The operating system version changes, or

    • New patches are applied after the baseline has already been established.

If the OS was upgraded or patched before the agent completed its first synchronization, no alert will be generated.

Package alerts

Package related vulnerability alerts are generated only when a vulnerability enters or leaves the inventory due to:

  • Package installation

  • Package removal

These changes must be detected during a scheduled Syscollector scan.

No alerts are generated if:

  • The package change occurs while the Wazuh agent is stopped.

  • The change is detected immediately after an agent restart, before a new inventory baseline is established.

For package vulnerability alerts to trigger, the agent must be running continuously and the change must be detected in a post-baseline Syscollector scan.


For troubleshooting, you can follow the below steps:

To verify that Syscollector is running on the agent, run the following command on the endpoint:
grep -iE "syscollector" /var/ossec/logs/ossec.log

If it is running correctly, for example every hour, you should see logs similar to:

2025/12/22 22:25:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/22 22:25:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/22 23:26:31 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/22 23:26:47 wazuh-modulesd:syscollector: INFO: Evaluation finished.

If you do not see these entries, please recheck the Syscollector configuration in the agent ossec.conf file. You can refer to the Wazuh documentation for guidance.

To check for agent synchronization issues on the manager, run the following command on the Wazuh manager:
grep -iE "sync|error|warn" /var/ossec/logs/ossec.log

Vulnerability alerts are indexed into the wazuh-alerts index. Please ensure that other alerts are appearing in the Threat Hunting dashboard.

Check whether any changes were made to the default rules file on the manager: /var/ossec/ruleset/rules/0520-vulnerability-detector_rules.xml
If you have modified this file, please let us know what changes were made.

To test this, install a package with at least one low-severity vulnerability on a monitored endpoint while the agent is running. After the next Syscollector scan cycle, check whether the alert is triggered.

You can also run the following curl command to query the Wazuh Indexer directly and check whether vulnerability alerts have already been indexed:  

curl -k -u admin:<password> \
"https://<INDEXER_IP>:9200/wazuh-alerts-*/_search?pretty" \
-H 'Content-Type: application/json' \
-d '{
  "query": {
    "term": {
      "rule.groups": "vulnerability-detector"
    }
  }
}'

Replace <password> with your Wazuh Dashboard admin user credentials, and replace <INDEXER_IP> with your Wazuh Indexer server IP address.

Check whether this command returns any alerts in the output.

Please share the output of the above commands so we can review them and assist you further.
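The troubleshooting step above reads the Syscollector entries from ossec.log by eye. The following script, added here as an example and not part of the thread or of Wazuh itself, parses those entries, pairs each "Starting evaluation" with its "Evaluation finished", and flags gaps between scans longer than the configured interval (assumed hourly, as in the sample above). The log lines are constructed in the same format as the ones quoted in the reply.

```python
"""Check Syscollector scan cadence from Wazuh agent ossec.log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample log, in the same format as the lines quoted in the thread.
SAMPLE_LOG = """\
2025/12/22 21:10:01 wazuh-modulesd:syscollector: INFO: Module started.
2025/12/22 22:25:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/22 22:25:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/22 22:30:00 wazuh-modulesd:vulnerability-scanner: INFO: unrelated line
2025/12/22 23:26:31 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/22 23:26:47 wazuh-modulesd:syscollector: INFO: Evaluation finished.
"""

# Only the two Syscollector messages that bracket a scan are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:syscollector: INFO: "
    r"(?P<msg>Starting evaluation|Evaluation finished)\.$"
)


def parse_scans(log_text):
    """Return (start, end) datetime pairs for every completed Syscollector scan."""
    scans, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other modules and other messages are ignored
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if m.group("msg") == "Starting evaluation":
            start = ts
        elif start is not None:  # "Evaluation finished" closes the open scan
            scans.append((start, ts))
            start = None
    return scans


def check_interval(scans, expected=timedelta(hours=1), slack=timedelta(minutes=5)):
    """Return start-to-start gaps that exceed the expected interval plus slack."""
    gaps = [later[0] - earlier[0] for earlier, later in zip(scans, scans[1:])]
    return [g for g in gaps if g > expected + slack]


if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    for s, e in scans:
        print(f"scan at {s}: {(e - s).seconds}s")
    if not scans:
        print("no completed scans found: check the Syscollector configuration")
    else:
        print("late gaps:", check_interval(scans))
```

Run it against `/var/ossec/logs/ossec.log` on the endpoint by reading the file into `parse_scans`; an empty result or late gaps point at the Syscollector configuration rather than at the manager.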
